In a cluttered office on the 16th floor of a Belltown building, a team of Secret Service agents and police detectives investigate and process evidence for a variety of computer crimes perpetrated in the Puget Sound region. Seattle Police Detective David Dunn has been working with the Secret Service’s Electronic Crimes Task Force for six years and has seen many local companies affected by cybercrime.

How did a Seattle police detective end up working for the Secret Service? After the Sept. 11th attacks there was a decrease in the number of arrests for white-collar crimes because so much law enforcement had gone after terrorism activity. So the Department of Justice put out a grant for the State of Washington to train some people. The DOJ gave me the funding and the Seattle Police Department donated my time. Then I was invited by the Secret Service to go through their five-week cybercrime training program. Very shortly thereafter the Secret Service started their task force in Seattle and I was invited to come down to that.

How large is the cybercrime task force and what do you investigate? There are four Secret Service agents, four full-time detectives and 20 part-time members. The task force meets every two weeks and the full-timers are here every day. We try to focus on regional and national-level cases. Fraud investigation is a very finite resource and we try to use the group as effectively as we can. One of our primary focuses is cases with a quantifiable loss or a significant number of victims. If you have a million victims with a $1 loss each, we can quantify that. Then we start looking for other chargeable crimes, like unlawful access or some kind of identity theft.

What’s the most common type of fraud you investigate? We do a lot of point-of-sale fraud investigations. Basically, those are intrusions into point-of-sale systems. It’s a rather prolific crime in the U.S. right now and it affects small businesses. Bad guys are remotely accessing (businesses’) systems, installing software that is able to steal credit card information and then (the criminals) are using or selling that information.

How do they access those point-of-sale systems? A lot of point-of-sale systems have some kind of remote access systems, for maintenance purposes, and sometimes it’s not turned off or someone forgets to turn off access. In some cases, there are multiple remote access points. The merchant might have access, a vendor might have access, the software provider might have access. We can see as many as four different remote access points for software for that system. Some are more hardened than that, but many have many open doors into the system.

How big a problem is point-of-sale system fraud? I have received five new cases in the last eight days. Each is a different merchant. We’re at the point now where we have to pick and choose which ones we’re going to notify just to clean it up (the breach) and which ones we’re going to go actively investigate.

What mistakes have you seen people make that put them more at risk and what is the impact if they’re breached? Primarily it’s complacency. They don’t understand the system that they own. They buy a business that has a point-of-sale system in place and they have no knowledge about that system. It just works, so they leave it alone. But (if they’re breached) the impact can be brutal. They can be required to pay for a private forensic audit that can run from $6,000 to $35,000, depending on which company comes out (to do the audit). The business may get fined by the card brands, (like Visa or American Express). They’re going to lose customers because people are going to realize relatively quickly where their card got breached. It can have a tremendous impact on businesses. I have seen businesses go out of business because of one of these breaches. Their margins were small enough that once this breach happened it took all the margins away and they were done. It’s not out of the realm of reasonableness for this to cost $100,000 to $150,000 for a small merchant.

What can businesses do to prevent or prepare for these kinds of attacks? Ask themselves, do we have security on (the point-of-sale system)? Do we have remote access enabled? Who is authorized for remote access? What are the passwords for remote access? Do we have a VPN (virtual private network) installed or is it just an internet connection? Even some of the incremental (software) upgrades can help harden systems against breaches. There’s also insurance for if a breach does happen. People don’t think about it. The guy that runs a pizza shop, a sandwich shop? He makes sandwiches, he doesn’t think about cybercrime. But he’s a target.

Where do these criminals come from? We’ve arrested people who have lived in the city limits of Seattle, on the East Coast and we’ve made international arrests. We see a fair amount of it coming from the Eastern Bloc countries although we’re seeing stuff coming from Southeast Asia now too.

Are there other kinds of cyber-attacks people should be aware of? We’ve seen a reasonable amount of spear-phishing, particularly relating to ACH (wire) fraud. Spear-phishing means that, instead of a mass-marketed phishing attack where you send a million (deceptive) emails out to people, it’s a very directed attack often at the person at a business that controls finance. We’ll see the finance person receive a UPS pickup email, but really it’s a Zeus bot that installs a keystroke monitor on the person’s computer so they can get the banking credentials for that business. Medium-sized businesses will often have the ability to send a wire so if the bad guys can compromise the finance person’s account, they can use that person’s account when they go home and send wire transfers out. One of the things we recommend, even though marketing is a big part of growing your business, is that you don’t market who your finance person is. Cyber criminals are looking for that person. If someone’s related to finance, in many cases it’s in your best interest not to advertise who that person is. Don’t put them on your website, don’t say who they are, what their email is. That just makes them a target.